Select region  
Global contacts

We operate in more than 50 countries around the world. If your country is not on the list, please refer to our global contacts.

View contacts
Global contacts

We operate in more than 50 countries around the world. If your country is not on the list, please refer to our global contacts.

View contacts
Global contacts

We operate in more than 50 countries around the world. If your country is not on the list, please refer to our global contacts.

View contacts
Global contacts

We operate in more than 50 countries around the world. If your country is not on the list, please refer to our global contacts.

View contacts
Global contacts

We operate in more than 50 countries around the world. If your country is not on the list, please refer to our global contacts.

View contacts
Responsibility

Principles for the Processing of Personal Data

1. General

1.1 The principles for the processing of personal data describe the general rules of processing personal data by ISS Eesti AS (hereinafter ISS) pursuant to the conditions provided by law.
1.2 Terms

Personal data any data that allow the identification of a person (for example, name, personal identification code, photo, address or other data specified in the Personal Data Protection Act). See section 4 of the Personal Data Protection Act.

Processing of personal data any activity performed with personal data. See section 5 of the Personal Data Protection Act.

1.3 Personal data collected and processed by ISS are protected by an access restriction.
1.4 In addition to the law, the processing of personal data also follows:
• the procedure of processing personal data (form 114)
• the data protection policy of the ISS Group
• the recruitment procedure (form 409)

2. Job applications and appointments

2.1 All documents linked to applying for a job contain personal data (such as an application with accompanying documents, correspondence with a candidate, information about the candidate collected from public sources). ISS presumes that the applicant has adhered to the Personal Data Protection Act in presenting the data of other people in their documents, and that ISS has, for example, the right to contact the persons designated as recommenders in the documents.
2.2 A candidate has the right to know what kind of data ISS has collected on them, to access the data, and to provide their own explanations. Upon applying for a position in ISS, personal data are collected on candidates and processed by persons working on relevant positions. All documents linked to a person’s application process have restricted access. Information about a person’s participation in the application process is also not to be disclosed.
2.3 Documents linked to application are registered in the WebDesktop document management software. Documents containing data are retained pursuant to the document retention periods in the list of documents provided in the procedure of processing personal data. Additional documents collected by ISS that have been documented but not registered are destroyed when no longer needed.

3. Concluded contracts and client data

3.1 ISS takes all precautionary measures (including administrative, technical and physical measures) to protect personal data.
3.2 Access to contracts entered into with natural persons and/or personal data obtained during the provision of service that may compromise a person’s privacy when disclosed (such as contact details) is only granted to persons involved in the relevant process.
3.3 To perform contractual obligations, ISS also processes client data we receive from our cooperating partners who are involved in the contracts between ISS and its clients. Client data required to perform contractual obligations include postal addresses to issue invoices, phone numbers to contact the client, and other sensitive data related only to that person.
3.4 The law is followed in the collection of personal data and data are collected to the extent that is necessary to perform contracts and to provide better service to clients.
3.5 Client contracts and data related to the provision of service (acts, orders, etc.) are entered into the Sales Logix client management software that can be accessed only within ISS. At that, data is processed only to the extent that is necessary to perform tasks.

4. Forwarding personal data to another institution or person

Documents with limited access are only issued to those institutions and persons who have a direct right and a valid need (need to know basis) to apply for the documents pursuant to the law (such as a body conducting pre-trial proceedings or a court, the police, a bailiff, a guardianship authority, an auditor, a supervisory authority, etc.).

5. The right to access one’s data and to request the correction of incorrect data

5.1 Everyone has the right to access their personal data that ISS has collected, acquaint themselves with the purpose for the processing of data and the (reasoning behind) retention periods. In order to exercise these rights, one must file a signed request with the human resources department.
5.2 To communicate personal data to a private person, ISS must confirm the identity of the person who filed the request for information. Data are issued in the manner desired by the requester within 30 days of receiving the request.
5.3 ISS does not issue personal data to the person who filed the request for information if it is impossible to avoid disclosing the data of other persons in the process. If possible, the requester is issued an extract of the document where the personal data of other persons has been redacted. Data are not issued without a legal basis.
5.4 Every person has the right to get confirmation that their personal data is processed without consent within the employment relationship and only with written permission outside the employment relationship (for publishing photos and other information in a magazine, for example).
5.5 Every person has the right to object to the processing of their personal data, including demanding that the processing of their personal data be terminated, that the disclosing of or allowing access to their personal data be terminated, and/or that the collected data be deleted or destroyed, if such a right arises from the Personal Data Protection Act or other legal act. Everyone has the right to demand that their personal data be transferred, and a right to withdraw their consent for processing their data at any time.
5.6 If a natural person finds that their rights have been violated by ISS in processing personal data, they have the right to file a request with ISS to terminate the violation.
5.7 Every person has, at all times, the right to turn to the Estonian Data Protection Inspectorate or the court to protect their personal data rights.
5.8 If ISS no longer has a legal basis to use a person’s personal data, the person may demand the use of data to be terminated or the data to be deleted before the prescribed term (generally one year).

6. Retention of personal data

6.1 Employment contracts, personal information forms and other personnel data is retained pursuant to the requirements provided by law and the procedure of processing personal data.
6.2 After the retention period has expired, documents/data are deleted or destroyed; any other personal data are also destroyed when no longer needed.

7. Notification obligation

7.1 ISS Estonia is required to notify data subjects of:

• every personal data processing breach, if it may cause discrimination, identity theft or fraud, financial or reputational damage, loss of confidentiality of personal data protected by professional secrecy, other types of economic or social damage, or if a person may be deprived of their rights, liberties or control over their personal data.

• amendment or deletion of personal data or restricting the processing of personal data.

7.2 The notification will occur within 72 hours of becoming aware of the breach or amendment.